Microsoft routinely shared Indian bank customers’ financial details with the US intelligence agencies, a bank document related to Reserve Bank of India (RBI)’s risk observation, according to a report in DNA.

The data of customers running an account with banks that have migrated to Microsoft Office 365 cloud-based email service has been found to have been shared with the US agencies.

Reserve  Bank of India has flagged the data sharing by the service provider in its Risk Assessment Report (RAR), which has been placed before the banks’ audit committees for a response.

Customers may not be aware that their financial details are being shared with the US security and intelligence agencies. But Indian banks are fully aware of the development.

According to the response of RBI’s observation, banks know that Microsoft might be sharing their customers’ data to US agencies since they had purchased and migrated to Microsoft’s cloud-based email service - Office 365.

In a specific case, RBI observed in its risk report, “All the mailboxes had been migrated to office 365 Microsoft cloud environment.

It was gathered from the Microsoft transparency hub that Microsoft is bound to share customers’ data under US Foreign Intelligence Surveillance Act (FISA) and US national security letters as and when required by the US authorities.”

According to the RBI observation,submited to an audit committee of a bank, from 2014 to 2016, Microsoft had disclosed information on 3,036 occasions after more than 4,000 government requests or legal demand requests for Indian customers in the US.

Banks have entered into a deal with Microsoft regarding the data sharing of their customers. In response to the RBI risk assessment observation, seen by DNA Money, a bank acknowledged that they have agreed with Microsoft, and according to the deal, Microsoft will only share the bank customers’ data if the order was issued by the government of India or an Indian court.

In the case of the US, the bank responded, “The US government issues gag orders for the same with prior intimation to us. We have incorporated appropriate provision to that effect in the legal agreement.”

More than 100 million people use Office 365 commercial, according to a latest Microsoft report.

DNA Money asked banks about how many US authorities’ requests have been responded and have been disclosed the Indian customers’ details by your email provider-- Microsoft – in the last five years (2014-2018). Several attempts to contact RBI and banks, through email and SMS on the issue did not elicit any response, except from State Bank of India (SBI) and Bank of Baroda.

An SBI spokesperson said, “In 2016 and 2017, Microsoft has advised that they received zero demands from the US law enforcement for commercial enterprise content (50+ seats) located outside the United States. In the first half of 2018, the latest time period for which Microsoft has data available, there was one demand from the US government for content data of a commercial enterprise located outside of the United States and Microsoft notified the customer, which is not SBI.”  

On customer data sharing issue, Bank of Baroda said, “Protecting the interests of our esteemed customers is of paramount importance to us. The bank’s ‘systems and operations’ are robust – we stand committed to protecting our customers’ interests, and we have all the necessary systems in place to ensure the same.”

However, a cyber law expert said India needs stringent laws against such practices. Achen Jakher, advocate, Cyber Law, told DNA Money, “Preserving consumer information is extremely important in today’s digital world, especially critical financial information. Intermediary technological firms have to adhere to Supreme Court guidelines to not share data with third parties and not take the data out of the country under any circumstance. Unfortunately, IT companies find multiple loopholes citing technological implementation and flout this rule. It is the need of the hour to come up with stringent laws against such practices. We have to work towards protecting sensitive data of consumers and not share this data for paltry gains.”

Microsoft did not respond to the specific questions, but firmly defended its position on privacy.

A Microsoft spokesperson told DNA Money, “No government has direct access to any of our users’ data. Data privacy is a top priority for us. We never provide customer data unless we receive a legally valid warrant, order or subpoena about specific accounts or individual identifiers that we have reviewed and consider legally appropriate and consistent with the rule of law and our Microsoft principles. Absent extraordinary circumstances, in the vast majority of cases we redirect governments to seek data directly from commercial customers or to allow us to tell our commercial customers when the government seeks their data.”
OFFICE SECRETS

    From 2014 to 2016, Microsoft had disclosed information on 3,036 occasions after more than 4,000 government requests or legal demand requests for Indian customers in the US  
    Banks know that Microsoft might be sharing their customers’ data to US agencies

Courtesy : DNA